Risk | High |
Patch available | YES |
Number of vulnerabilities | 20 |
CVE-ID | CVE-2024-30251 CVE-2024-27351 CVE-2023-5752 CVE-2024-3772 CVE-2024-28849 CVE-2024-27306 CVE-2024-21503 CVE-2024-26130 CVE-2023-49083 CVE-2024-1135 CVE-2024-3651 CVE-2024-34064 CVE-2024-28219 CVE-2023-50447 CVE-2024-35195 CVE-2024-32879 CVE-2024-4340 CVE-2024-24783 CVE-2023-45288 CVE-2023-45290 |
CWE-ID | CWE-835 CWE-1333 CWE-77 CWE-185 CWE-200 CWE-79 CWE-20 CWE-476 CWE-444 CWE-400 CWE-119 CWE-94 CWE-254 CWE-178 CWE-674 CWE-388 |
Exploitation vector | Network |
Public exploit | Public exploit code for vulnerability #19 is available. |
Vulnerable software | (all entries are Red Hat packages; category: Operating systems & Components / Operating system package or component) |
python3x-sqlparse
python3x-social-auth-app-django
python3x-requests
python3x-pydantic
python3x-pyOpenSSL
python3x-pulpcore
python3x-pulp-ansible
python3x-pillow
python3x-jinja2
python3x-idna
python3x-gunicorn
python3x-galaxy-ng
python3x-cryptography
python3x-black
python3x-aiohttp
receptor
python-sqlparse
python-social-auth-app-django
python-requests
python-pydantic
python-pyOpenSSL
python-pulpcore
python-pulp-ansible
python-pillow
python-jinja2
python-idna
python-gunicorn
python-galaxy-ng
python-cryptography
python-black
python-aiohttp
automation-hub
automation-eda-controller
automation-controller
ansible-rulebook
ansible-core
ansible-automation-platform-installer
Vendor | Red Hat Inc. |
Security Bulletin
This security bulletin contains information about 20 vulnerabilities.
EUVDB-ID: #VU89159
Risk: Medium
CVSSv4.0: 6.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2024-30251
CWE-ID:
CWE-835 - Loop with Unreachable Exit Condition ('Infinite Loop')
Exploit availability: No
Description
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to an infinite loop. A remote attacker can send a specially crafted POST request, consume all available system resources and cause denial of service conditions.
Mitigation
Install updates from vendor's website.
python3x-sqlparse (Red Hat package): before 0.5.0-1.el8ap
python3x-social-auth-app-django (Red Hat package): before 5.4.1-1.el8ap
python3x-requests (Red Hat package): before 2.32.2-1.el8ap
python3x-pydantic (Red Hat package): before 1.10.15-1.el8ap
python3x-pyOpenSSL (Red Hat package): before 24.1.0-1.el8ap
python3x-pulpcore (Red Hat package): before 3.28.27-1.el8ap
python3x-pulp-ansible (Red Hat package): before 0.20.7-1.el8ap
python3x-pillow (Red Hat package): before 10.3.0-1.el8ap
python3x-jinja2 (Red Hat package): before 3.1.4-1.el8ap
python3x-idna (Red Hat package): before 3.7-1.el8ap
python3x-gunicorn (Red Hat package): before 22.0.0-1.el8ap
python3x-galaxy-ng (Red Hat package): before 4.9.2-1.el8ap
python3x-cryptography (Red Hat package): before 42.0.5-1.el8ap
python3x-black (Red Hat package): before 22.8.0-2.el8ap
python3x-aiohttp (Red Hat package): before 3.9.5-1.el8ap
receptor (Red Hat package): before 1.4.8-1.el8ap
python-sqlparse (Red Hat package): before 0.5.0-1.el9ap
python-social-auth-app-django (Red Hat package): before 5.4.1-1.el9ap
python-requests (Red Hat package): before 2.32.2-1.el9ap
python-pydantic (Red Hat package): before 1.10.15-1.el9ap
python-pyOpenSSL (Red Hat package): before 24.1.0-1.el9ap
python-pulpcore (Red Hat package): before 3.28.27-1.el9ap
python-pulp-ansible (Red Hat package): before 0.20.7-1.el9ap
python-pillow (Red Hat package): before 10.3.0-1.el9ap
python-jinja2 (Red Hat package): before 3.1.4-1.el9ap
python-idna (Red Hat package): before 3.7-1.el9ap
python-gunicorn (Red Hat package): before 22.0.0-1.el9ap
python-galaxy-ng (Red Hat package): before 4.9.2-1.el9ap
python-cryptography (Red Hat package): before 42.0.5-1.el9ap
python-black (Red Hat package): before 22.8.0-2.el9ap
python-aiohttp (Red Hat package): before 3.9.5-1.el9ap
automation-hub (Red Hat package): before 4.9.2-1.el8ap
automation-eda-controller (Red Hat package): before 1.0.7-1.el8ap
automation-controller (Red Hat package): before 4.5.7-1.el8ap
ansible-rulebook (Red Hat package): before 1.0.7-1.el8ap
ansible-core (Red Hat package): before 2.15.11-1.el8ap
ansible-automation-platform-installer (Red Hat package): before 2.4-7.1.el8ap
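The affected-package list above is only useful if it can be compared against what is actually installed, and plain string comparison gets rpm versions wrong (for example 1.10.15 versus 1.10.9). The following added example, which is not part of the bulletin or of any Red Hat tooling, parses lines in the bulletin's own "name (Red Hat package): before version-release" form and compares them against an installed inventory using a re-implementation of rpm's segment-wise version ordering. The inventory dictionary is constructed for the example; it assumes no epochs (none appear in this bulletin) and that el8ap packages are only compared with el8ap fixed versions.

```python
import re

# Tokenizer for rpm-style version comparison: runs of digits, runs of letters, and the
# tilde pre-release marker. Separators such as '.' and '-' only delimit tokens.
_TOKEN = re.compile(r"\d+|[A-Za-z]+|~")


def rpmvercmp(a, b):
    """Compare two version (or release) strings using rpm's segment ordering.

    Returns -1 if a < b, 0 if equal, 1 if a > b. Numeric segments compare as integers,
    alphabetic segments lexically, a numeric segment ranks above an alphabetic one, and a
    tilde sorts before anything, including the end of the string (1.0~rc1 < 1.0).
    """
    ta, tb = _TOKEN.findall(a), _TOKEN.findall(b)
    while ta or tb:
        x = ta.pop(0) if ta else None
        y = tb.pop(0) if tb else None
        if x == "~" or y == "~":
            if x != "~":
                return 1
            if y != "~":
                return -1
            continue
        if x is None:
            return -1
        if y is None:
            return 1
        if x.isdigit() and y.isdigit():
            if int(x) != int(y):
                return -1 if int(x) < int(y) else 1
        elif x.isdigit():
            return 1
        elif y.isdigit():
            return -1
        elif x != y:
            return -1 if x < y else 1
    return 0


def evrcmp(a, b):
    """Compare 'version-release' strings: version first, then release. Epochs are assumed absent."""
    va, ra = a.rsplit("-", 1) if "-" in a else (a, "")
    vb, rb = b.rsplit("-", 1) if "-" in b else (b, "")
    return rpmvercmp(va, vb) or rpmvercmp(ra, rb)


# Matches the bulletin's affected-package lines, e.g.
# "python3x-aiohttp (Red Hat package): before 3.9.5-1.el8ap"
_BULLETIN_LINE = re.compile(r"^(\S+) \(Red Hat package\): before (\S+)$")


def parse_fixed_versions(lines):
    """Map package name -> first fixed version-release, read from bulletin lines."""
    fixed = {}
    for line in lines:
        m = _BULLETIN_LINE.match(line.strip())
        if m:
            fixed[m.group(1)] = m.group(2)
    return fixed


def vulnerable_packages(bulletin_lines, installed):
    """Return (name, installed_evr, fixed_evr) for installed packages still below the fixed version.

    `installed` maps package name -> 'version-release'; on a real host it can be built from
    the output of: rpm -qa --qf '%{NAME} %{VERSION}-%{RELEASE}\n'
    """
    fixed = parse_fixed_versions(bulletin_lines)
    return [
        (name, installed[name], fixed[name])
        for name in sorted(fixed)
        if name in installed and evrcmp(installed[name], fixed[name]) < 0
    ]


# Constructed sample: four lines in the bulletin's format and a made-up installed inventory.
BULLETIN_LINES = [
    "python3x-aiohttp (Red Hat package): before 3.9.5-1.el8ap",
    "python3x-black (Red Hat package): before 22.8.0-2.el8ap",
    "python3x-cryptography (Red Hat package): before 42.0.5-1.el8ap",
    "ansible-automation-platform-installer (Red Hat package): before 2.4-7.1.el8ap",
]
INSTALLED = {
    "python3x-aiohttp": "3.9.4-1.el8ap",                      # below the fix
    "python3x-black": "22.8.0-2.el8ap",                       # exactly the fix
    "python3x-cryptography": "42.0.5-1.el8ap",                # exactly the fix
    "ansible-automation-platform-installer": "2.4-6.el8ap",   # same version, older release
}

if __name__ == "__main__":
    for name, have, need in vulnerable_packages(BULLETIN_LINES, INSTALLED):
        print(f"{name}: installed {have} is older than fixed {need}")
```

Run as written, the script reports python3x-aiohttp and ansible-automation-platform-installer as still vulnerable; the two packages already at the fixed version-release are silent. Feeding it the complete list from the bulletin and a real `rpm -qa` inventory turns this advisory into a host-level check.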
CPE2.3
Vendor advisory: https://access.redhat.com/errata/RHSA-2024:3781
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU87033
Risk: Medium
CVSSv4.0: 6.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2024-27351
CWE-ID:
CWE-1333 - Inefficient Regular Expression Complexity
Exploit availability: No
Description
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to insufficient input validation when processing untrusted input with a regular expression in django.utils.text.Truncator.words(). A remote attacker can pass specially crafted data to the application and perform a regular expression denial of service (ReDoS) attack.
Mitigation
Install updates from vendor's website.
python3x-sqlparse (Red Hat package): before 0.5.0-1.el8ap
python3x-social-auth-app-django (Red Hat package): before 5.4.1-1.el8ap
python3x-requests (Red Hat package): before 2.32.2-1.el8ap
python3x-pydantic (Red Hat package): before 1.10.15-1.el8ap
python3x-pyOpenSSL (Red Hat package): before 24.1.0-1.el8ap
python3x-pulpcore (Red Hat package): before 3.28.27-1.el8ap
python3x-pulp-ansible (Red Hat package): before 0.20.7-1.el8ap
python3x-pillow (Red Hat package): before 10.3.0-1.el8ap
python3x-jinja2 (Red Hat package): before 3.1.4-1.el8ap
python3x-idna (Red Hat package): before 3.7-1.el8ap
python3x-gunicorn (Red Hat package): before 22.0.0-1.el8ap
python3x-galaxy-ng (Red Hat package): before 4.9.2-1.el8ap
python3x-cryptography (Red Hat package): before 42.0.5-1.el8ap
python3x-black (Red Hat package): before 22.8.0-2.el8ap
python3x-aiohttp (Red Hat package): before 3.9.5-1.el8ap
receptor (Red Hat package): before 1.4.8-1.el8ap
python-sqlparse (Red Hat package): before 0.5.0-1.el9ap
python-social-auth-app-django (Red Hat package): before 5.4.1-1.el9ap
python-requests (Red Hat package): before 2.32.2-1.el9ap
python-pydantic (Red Hat package): before 1.10.15-1.el9ap
python-pyOpenSSL (Red Hat package): before 24.1.0-1.el9ap
python-pulpcore (Red Hat package): before 3.28.27-1.el9ap
python-pulp-ansible (Red Hat package): before 0.20.7-1.el9ap
python-pillow (Red Hat package): before 10.3.0-1.el9ap
python-jinja2 (Red Hat package): before 3.1.4-1.el9ap
python-idna (Red Hat package): before 3.7-1.el9ap
python-gunicorn (Red Hat package): before 22.0.0-1.el9ap
python-galaxy-ng (Red Hat package): before 4.9.2-1.el9ap
python-cryptography (Red Hat package): before 42.0.5-1.el9ap
python-black (Red Hat package): before 22.8.0-2.el9ap
python-aiohttp (Red Hat package): before 3.9.5-1.el9ap
automation-hub (Red Hat package): before 4.9.2-1.el8ap
automation-eda-controller (Red Hat package): before 1.0.7-1.el8ap
automation-controller (Red Hat package): before 4.5.7-1.el8ap
ansible-rulebook (Red Hat package): before 1.0.7-1.el8ap
ansible-core (Red Hat package): before 2.15.11-1.el8ap
ansible-automation-platform-installer (Red Hat package): before 2.4-7.1.el8ap
CPE2.3
Vendor advisory: https://access.redhat.com/errata/RHSA-2024:3781
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU84849
Risk: Medium
CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2023-5752
CWE-ID:
CWE-77 - Command injection
Exploit availability: No
Description
The vulnerability allows a remote attacker to compromise the affected system.
The vulnerability exists due to improper input validation when installing a package from a Mercurial VCS URL (i.e. "pip install hg+...") with pip. A remote attacker who controls the repository can use the specified Mercurial revision to inject arbitrary configuration options into the "hg clone" call (i.e. "--config").
Mitigation
Install updates from vendor's website.
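The defect class above (CWE-77, here in the form of argument injection) arises when a value taken from an untrusted source, such as the revision part of an "hg+...@rev" requirement, is placed on a command line where the called program may read it as an option. The added example below is not pip's or Mercurial's code; it shows the two controls a defender would want in any VCS wrapper: an allow-list on the revision so that it can never begin with a dash, and an argv built without a shell in which the revision is attached to its option (`--rev=<value>`) and the operands come last. The "@rev" splitting rule, the allow-list pattern and the hostnames are assumptions of this example.

```python
import re
import shlex

# Allow-list for a Mercurial revision identifier (changeset hash, tag, branch or bookmark).
# The pattern is this example's own conservative choice, not a rule taken from pip or Mercurial;
# its key property is that a valid value can never start with '-' and so cannot be read as an option.
_REV_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9._+]{0,127}")


def split_hg_requirement(spec):
    """Split an 'hg+<url>[@<rev>]' requirement into (url, rev); rev is None when absent.

    The 'hg+' prefix and '@rev' suffix follow the form quoted in the description above; the
    splitting rule is an assumption of this example (URLs with user@host userinfo are out of scope).
    """
    if not spec.startswith("hg+"):
        raise ValueError(f"not a Mercurial requirement: {spec!r}")
    url, sep, rev = spec[3:].rpartition("@")
    if not sep:
        return rev, None  # no '@' present: rpartition leaves the whole string in the last part
    return url, rev


def validate_rev(rev):
    """Return rev unchanged if it is a plain identifier, otherwise raise ValueError."""
    if not _REV_RE.fullmatch(rev):
        raise ValueError(f"refusing revision that is not a plain identifier: {rev!r}")
    return rev


def hg_clone_argv(url, dest, rev=None):
    """Build an argv list (no shell involved) for `hg clone` in which untrusted values cannot become options.

    The revision is validated and then passed in the attached form --rev=<value>, so it is always
    consumed as that option's argument; url and dest are rejected outright if they look like options.
    """
    for operand in (url, dest):
        if operand.startswith("-"):
            raise ValueError(f"operand looks like an option: {operand!r}")
    argv = ["hg", "clone", "--noupdate"]
    if rev is not None:
        argv.append("--rev=" + validate_rev(rev))
    argv += [url, dest]
    return argv


if __name__ == "__main__":
    # Constructed requirement strings; the host name is a placeholder.
    for spec in (
        "hg+https://hg.example.test/repo@a1b2c3d4",
        "hg+https://hg.example.test/repo@--config=ui.debug=true",
    ):
        url, rev = split_hg_requirement(spec)
        try:
            print(shlex.join(hg_clone_argv(url, "checkout", rev)))
        except ValueError as exc:
            print(f"rejected: {exc}")
```

The first requirement produces `hg clone --noupdate --rev=a1b2c3d4 https://hg.example.test/repo checkout`; the second is rejected before any process is started. The allow-list is the control that matters; the attached `--rev=` form and the operand check are defence in depth for the case where a future code path forgets to validate.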
python3x-sqlparse (Red Hat package): before 0.5.0-1.el8ap
python3x-social-auth-app-django (Red Hat package): before 5.4.1-1.el8ap
python3x-requests (Red Hat package): before 2.32.2-1.el8ap
python3x-pydantic (Red Hat package): before 1.10.15-1.el8ap
python3x-pyOpenSSL (Red Hat package): before 24.1.0-1.el8ap
python3x-pulpcore (Red Hat package): before 3.28.27-1.el8ap
python3x-pulp-ansible (Red Hat package): before 0.20.7-1.el8ap
python3x-pillow (Red Hat package): before 10.3.0-1.el8ap
python3x-jinja2 (Red Hat package): before 3.1.4-1.el8ap
python3x-idna (Red Hat package): before 3.7-1.el8ap
python3x-gunicorn (Red Hat package): before 22.0.0-1.el8ap
python3x-galaxy-ng (Red Hat package): before 4.9.2-1.el8ap
python3x-cryptography (Red Hat package): before 42.0.5-1.el8ap
python3x-black (Red Hat package): before 22.8.0-2.el8ap
python3x-aiohttp (Red Hat package): before 3.9.5-1.el8ap
receptor (Red Hat package): before 1.4.8-1.el8ap
python-sqlparse (Red Hat package): before 0.5.0-1.el9ap
python-social-auth-app-django (Red Hat package): before 5.4.1-1.el9ap
python-requests (Red Hat package): before 2.32.2-1.el9ap
python-pydantic (Red Hat package): before 1.10.15-1.el9ap
python-pyOpenSSL (Red Hat package): before 24.1.0-1.el9ap
python-pulpcore (Red Hat package): before 3.28.27-1.el9ap
python-pulp-ansible (Red Hat package): before 0.20.7-1.el9ap
python-pillow (Red Hat package): before 10.3.0-1.el9ap
python-jinja2 (Red Hat package): before 3.1.4-1.el9ap
python-idna (Red Hat package): before 3.7-1.el9ap
python-gunicorn (Red Hat package): before 22.0.0-1.el9ap
python-galaxy-ng (Red Hat package): before 4.9.2-1.el9ap
python-cryptography (Red Hat package): before 42.0.5-1.el9ap
python-black (Red Hat package): before 22.8.0-2.el9ap
python-aiohttp (Red Hat package): before 3.9.5-1.el9ap
automation-hub (Red Hat package): before 4.9.2-1.el8ap
automation-eda-controller (Red Hat package): before 1.0.7-1.el8ap
automation-controller (Red Hat package): before 4.5.7-1.el8ap
ansible-rulebook (Red Hat package): before 1.0.7-1.el8ap
ansible-core (Red Hat package): before 2.15.11-1.el8ap
ansible-automation-platform-installer (Red Hat package): before 2.4-7.1.el8ap
CPE2.3
Vendor advisory: https://access.redhat.com/errata/RHSA-2024:3781
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU88853
Risk: Medium
CVSSv4.0: 4.6 [CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2024-3772
CWE-ID:
CWE-185 - Incorrect Regular Expression
Exploit availability: No
Description
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to insufficient input validation when processing regular expressions. A remote attacker can pass a specially crafted email string to the application and perform a regular expression denial of service (ReDoS) attack.
Mitigation
Install updates from vendor's website.
python3x-sqlparse (Red Hat package): before 0.5.0-1.el8ap
python3x-social-auth-app-django (Red Hat package): before 5.4.1-1.el8ap
python3x-requests (Red Hat package): before 2.32.2-1.el8ap
python3x-pydantic (Red Hat package): before 1.10.15-1.el8ap
python3x-pyOpenSSL (Red Hat package): before 24.1.0-1.el8ap
python3x-pulpcore (Red Hat package): before 3.28.27-1.el8ap
python3x-pulp-ansible (Red Hat package): before 0.20.7-1.el8ap
python3x-pillow (Red Hat package): before 10.3.0-1.el8ap
python3x-jinja2 (Red Hat package): before 3.1.4-1.el8ap
python3x-idna (Red Hat package): before 3.7-1.el8ap
python3x-gunicorn (Red Hat package): before 22.0.0-1.el8ap
python3x-galaxy-ng (Red Hat package): before 4.9.2-1.el8ap
python3x-cryptography (Red Hat package): before 42.0.5-1.el8ap
python3x-black (Red Hat package): before 22.8.0-2.el8ap
python3x-aiohttp (Red Hat package): before 3.9.5-1.el8ap
receptor (Red Hat package): before 1.4.8-1.el8ap
python-sqlparse (Red Hat package): before 0.5.0-1.el9ap
python-social-auth-app-django (Red Hat package): before 5.4.1-1.el9ap
python-requests (Red Hat package): before 2.32.2-1.el9ap
python-pydantic (Red Hat package): before 1.10.15-1.el9ap
python-pyOpenSSL (Red Hat package): before 24.1.0-1.el9ap
python-pulpcore (Red Hat package): before 3.28.27-1.el9ap
python-pulp-ansible (Red Hat package): before 0.20.7-1.el9ap
python-pillow (Red Hat package): before 10.3.0-1.el9ap
python-jinja2 (Red Hat package): before 3.1.4-1.el9ap
python-idna (Red Hat package): before 3.7-1.el9ap
python-gunicorn (Red Hat package): before 22.0.0-1.el9ap
python-galaxy-ng (Red Hat package): before 4.9.2-1.el9ap
python-cryptography (Red Hat package): before 42.0.5-1.el9ap
python-black (Red Hat package): before 22.8.0-2.el9ap
python-aiohttp (Red Hat package): before 3.9.5-1.el9ap
automation-hub (Red Hat package): before 4.9.2-1.el8ap
automation-eda-controller (Red Hat package): before 1.0.7-1.el8ap
automation-controller (Red Hat package): before 4.5.7-1.el8ap
ansible-rulebook (Red Hat package): before 1.0.7-1.el8ap
ansible-core (Red Hat package): before 2.15.11-1.el8ap
ansible-automation-platform-installer (Red Hat package): before 2.4-7.1.el8ap
CPE2.3
Vendor advisory: https://access.redhat.com/errata/RHSA-2024:3781
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU87551
Risk: Low
CVSSv4.0: 0.5 [CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2024-28849
CWE-ID:
CWE-200 - Exposure of sensitive information to an unauthorized actor
Exploit availability: No
Description
The vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists because credentials are shared via headers when following cross-domain redirects. A remote attacker can gain access to sensitive information.
Mitigation
Install updates from vendor's website.
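The behaviour a client needs in order to avoid this class of leak is simple to state: credential-bearing headers may follow a redirect only when the target has the same origin (scheme, host and port) as the original request. The added example below is not code from the affected library or from this bulletin; it is a standalone Python function that resolves the Location value (which may be relative) against the request URL and drops Authorization, Proxy-Authorization and Cookie when the origin changes, including an https-to-http downgrade on the same host. The header set and the hostnames are assumptions of this example.

```python
from urllib.parse import urljoin, urlsplit

# Headers that carry credentials and must not follow a redirect to another origin.
# This set is the example's assumption; a real client would add any custom API-key headers it uses.
CREDENTIAL_HEADERS = frozenset({"authorization", "proxy-authorization", "cookie"})

_DEFAULT_PORTS = {"http": 80, "https": 443}


def origin_of(url):
    """Return the (scheme, host, port) triple that identifies a URL's origin."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    port = parts.port if parts.port is not None else _DEFAULT_PORTS.get(scheme)
    return scheme, host, port


def headers_for_redirect(request_url, location, headers):
    """Compute the headers a client should send when following `location` from `request_url`.

    The Location value may be relative, so it is resolved against the request URL first.
    Credential headers are kept only when the resolved target shares the original origin;
    any change of scheme (including an https->http downgrade), host or port drops them.
    """
    target = urljoin(request_url, location)
    same_origin = origin_of(request_url) == origin_of(target)
    kept = {}
    for name, value in headers.items():
        if not same_origin and name.lower() in CREDENTIAL_HEADERS:
            continue
        kept[name] = value
    return kept


if __name__ == "__main__":
    # Constructed request and three possible redirect targets; the host names are placeholders.
    sent = {"Authorization": "Bearer example-token", "Cookie": "session=abc", "Accept": "application/json"}
    for loc in ("/v2/items", "https://cdn.example.test/items", "http://api.example.test/v2/items"):
        print(loc, "->", sorted(headers_for_redirect("https://api.example.test/v1/items", loc, sent)))
```

The same-origin relative redirect keeps all three headers; the cross-host redirect and the scheme downgrade both strip the credentials and forward only Accept. When reviewing an HTTP client, this is the decision point to look for: the code that rebuilds the outgoing request for a 3xx response must compare origins, not merely reuse the original header map.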
python3x-sqlparse (Red Hat package): before 0.5.0-1.el8ap
python3x-social-auth-app-django (Red Hat package): before 5.4.1-1.el8ap
python3x-requests (Red Hat package): before 2.32.2-1.el8ap
python3x-pydantic (Red Hat package): before 1.10.15-1.el8ap
python3x-pyOpenSSL (Red Hat package): before 24.1.0-1.el8ap
python3x-pulpcore (Red Hat package): before 3.28.27-1.el8ap
python3x-pulp-ansible (Red Hat package): before 0.20.7-1.el8ap
python3x-pillow (Red Hat package): before 10.3.0-1.el8ap
python3x-jinja2 (Red Hat package): before 3.1.4-1.el8ap
python3x-idna (Red Hat package): before 3.7-1.el8ap
python3x-gunicorn (Red Hat package): before 22.0.0-1.el8ap
python3x-galaxy-ng (Red Hat package): before 4.9.2-1.el8ap
python3x-cryptography (Red Hat package): before 42.0.5-1.el8ap
python3x-black (Red Hat package): before 22.8.0-2.el8ap
python3x-aiohttp (Red Hat package): before 3.9.5-1.el8ap
receptor (Red Hat package): before 1.4.8-1.el8ap
python-sqlparse (Red Hat package): before 0.5.0-1.el9ap
python-social-auth-app-django (Red Hat package): before 5.4.1-1.el9ap
python-requests (Red Hat package): before 2.32.2-1.el9ap
python-pydantic (Red Hat package): before 1.10.15-1.el9ap
python-pyOpenSSL (Red Hat package): before 24.1.0-1.el9ap
python-pulpcore (Red Hat package): before 3.28.27-1.el9ap
python-pulp-ansible (Red Hat package): before 0.20.7-1.el9ap
python-pillow (Red Hat package): before 10.3.0-1.el9ap
python-jinja2 (Red Hat package): before 3.1.4-1.el9ap
python-idna (Red Hat package): before 3.7-1.el9ap
python-gunicorn (Red Hat package): before 22.0.0-1.el9ap
python-galaxy-ng (Red Hat package): before 4.9.2-1.el9ap
python-cryptography (Red Hat package): before 42.0.5-1.el9ap
python-black (Red Hat package): before 22.8.0-2.el9ap
python-aiohttp (Red Hat package): before 3.9.5-1.el9ap
automation-hub (Red Hat package): before 4.9.2-1.el8ap
automation-eda-controller (Red Hat package): before 1.0.7-1.el8ap
automation-controller (Red Hat package): before 4.5.7-1.el8ap
ansible-rulebook (Red Hat package): before 1.0.7-1.el8ap
ansible-core (Red Hat package): before 2.15.11-1.el8ap
ansible-automation-platform-installer (Red Hat package): before 2.4-7.1.el8ap
CPE2.3
Vendor advisory: https://access.redhat.com/errata/RHSA-2024:3781
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU88804
Risk: Medium
CVSSv4.0: 1.2 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Green]
CVE-ID: CVE-2024-27306
CWE-ID:
CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Exploit availability: No
Description
The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.
The vulnerability exists due to insufficient sanitization of user-supplied data within the web.static(..., show_index=True) method in index pages for static file handling. A remote attacker can inject and execute arbitrary HTML and script code in the user's browser in the context of the vulnerable website.
Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change the appearance of the web page, and perform phishing and drive-by-download attacks.
Mitigation
Install updates from vendor's website.
python3x-sqlparse (Red Hat package): before 0.5.0-1.el8ap
python3x-social-auth-app-django (Red Hat package): before 5.4.1-1.el8ap
python3x-requests (Red Hat package): before 2.32.2-1.el8ap
python3x-pydantic (Red Hat package): before 1.10.15-1.el8ap
python3x-pyOpenSSL (Red Hat package): before 24.1.0-1.el8ap
python3x-pulpcore (Red Hat package): before 3.28.27-1.el8ap
python3x-pulp-ansible (Red Hat package): before 0.20.7-1.el8ap
python3x-pillow (Red Hat package): before 10.3.0-1.el8ap
python3x-jinja2 (Red Hat package): before 3.1.4-1.el8ap
python3x-idna (Red Hat package): before 3.7-1.el8ap
python3x-gunicorn (Red Hat package): before 22.0.0-1.el8ap
python3x-galaxy-ng (Red Hat package): before 4.9.2-1.el8ap
python3x-cryptography (Red Hat package): before 42.0.5-1.el8ap
python3x-black (Red Hat package): before 22.8.0-2.el8ap
python3x-aiohttp (Red Hat package): before 3.9.5-1.el8ap
receptor (Red Hat package): before 1.4.8-1.el8ap
python-sqlparse (Red Hat package): before 0.5.0-1.el9ap
python-social-auth-app-django (Red Hat package): before 5.4.1-1.el9ap
python-requests (Red Hat package): before 2.32.2-1.el9ap
python-pydantic (Red Hat package): before 1.10.15-1.el9ap
python-pyOpenSSL (Red Hat package): before 24.1.0-1.el9ap
python-pulpcore (Red Hat package): before 3.28.27-1.el9ap
python-pulp-ansible (Red Hat package): before 0.20.7-1.el9ap
python-pillow (Red Hat package): before 10.3.0-1.el9ap
python-jinja2 (Red Hat package): before 3.1.4-1.el9ap
python-idna (Red Hat package): before 3.7-1.el9ap
python-gunicorn (Red Hat package): before 22.0.0-1.el9ap
python-galaxy-ng (Red Hat package): before 4.9.2-1.el9ap
python-cryptography (Red Hat package): before 42.0.5-1.el9ap
python-black (Red Hat package): before 22.8.0-2.el9ap
python-aiohttp (Red Hat package): before 3.9.5-1.el9ap
automation-hub (Red Hat package): before 4.9.2-1.el8ap
automation-eda-controller (Red Hat package): before 1.0.7-1.el8ap
automation-controller (Red Hat package): before 4.5.7-1.el8ap
ansible-rulebook (Red Hat package): before 1.0.7-1.el8ap
ansible-core (Red Hat package): before 2.15.11-1.el8ap
ansible-automation-platform-installer (Red Hat package): before 2.4-7.1.el8ap
CPE2.3
Vendor advisory: https://access.redhat.com/errata/RHSA-2024:3781
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU87583
Risk: Medium
CVSSv4.0: 6.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2024-21503
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
Description
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to insufficient validation of user-supplied input. A remote attacker can pass specially crafted input to the application and perform a denial of service (DoS) attack.
Mitigation
Install updates from vendor's website.
python3x-sqlparse (Red Hat package): before 0.5.0-1.el8ap
python3x-social-auth-app-django (Red Hat package): before 5.4.1-1.el8ap
python3x-requests (Red Hat package): before 2.32.2-1.el8ap
python3x-pydantic (Red Hat package): before 1.10.15-1.el8ap
python3x-pyOpenSSL (Red Hat package): before 24.1.0-1.el8ap
python3x-pulpcore (Red Hat package): before 3.28.27-1.el8ap
python3x-pulp-ansible (Red Hat package): before 0.20.7-1.el8ap
python3x-pillow (Red Hat package): before 10.3.0-1.el8ap
python3x-jinja2 (Red Hat package): before 3.1.4-1.el8ap
python3x-idna (Red Hat package): before 3.7-1.el8ap
python3x-gunicorn (Red Hat package): before 22.0.0-1.el8ap
python3x-galaxy-ng (Red Hat package): before 4.9.2-1.el8ap
python3x-cryptography (Red Hat package): before 42.0.5-1.el8ap
python3x-black (Red Hat package): before 22.8.0-2.el8ap
python3x-aiohttp (Red Hat package): before 3.9.5-1.el8ap
receptor (Red Hat package): before 1.4.8-1.el8ap
python-sqlparse (Red Hat package): before 0.5.0-1.el9ap
python-social-auth-app-django (Red Hat package): before 5.4.1-1.el9ap
python-requests (Red Hat package): before 2.32.2-1.el9ap
python-pydantic (Red Hat package): before 1.10.15-1.el9ap
python-pyOpenSSL (Red Hat package): before 24.1.0-1.el9ap
python-pulpcore (Red Hat package): before 3.28.27-1.el9ap
python-pulp-ansible (Red Hat package): before 0.20.7-1.el9ap
python-pillow (Red Hat package): before 10.3.0-1.el9ap
python-jinja2 (Red Hat package): before 3.1.4-1.el9ap
python-idna (Red Hat package): before 3.7-1.el9ap
python-gunicorn (Red Hat package): before 22.0.0-1.el9ap
python-galaxy-ng (Red Hat package): before 4.9.2-1.el9ap
python-cryptography (Red Hat package): before 42.0.5-1.el9ap
python-black (Red Hat package): before 22.8.0-2.el9ap
python-aiohttp (Red Hat package): before 3.9.5-1.el9ap
automation-hub (Red Hat package): before 4.9.2-1.el8ap
automation-eda-controller (Red Hat package): before 1.0.7-1.el8ap
automation-controller (Red Hat package): before 4.5.7-1.el8ap
ansible-rulebook (Red Hat package): before 1.0.7-1.el8ap
ansible-core (Red Hat package): before 2.15.11-1.el8ap
ansible-automation-platform-installer (Red Hat package): before 2.4-7.1.el8ap
CPE2.3
Vendor advisory: https://access.redhat.com/errata/RHSA-2024:3781
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU87129
Risk: Medium
CVSSv4.0: 6.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2024-26130
CWE-ID:
CWE-476 - NULL Pointer Dereference
Exploit availability: No
Description
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to a NULL pointer dereference error within pkcs12.serialize_key_and_certificates when called with a non-matching certificate and private key and an hmac_hash override. A remote attacker can pass specially crafted data to the application and perform a denial of service (DoS) attack.
Mitigation
Install updates from vendor's website.
python3x-sqlparse (Red Hat package): before 0.5.0-1.el8ap
python3x-social-auth-app-django (Red Hat package): before 5.4.1-1.el8ap
python3x-requests (Red Hat package): before 2.32.2-1.el8ap
python3x-pydantic (Red Hat package): before 1.10.15-1.el8ap
python3x-pyOpenSSL (Red Hat package): before 24.1.0-1.el8ap
python3x-pulpcore (Red Hat package): before 3.28.27-1.el8ap
python3x-pulp-ansible (Red Hat package): before 0.20.7-1.el8ap
python3x-pillow (Red Hat package): before 10.3.0-1.el8ap
python3x-jinja2 (Red Hat package): before 3.1.4-1.el8ap
python3x-idna (Red Hat package): before 3.7-1.el8ap
python3x-gunicorn (Red Hat package): before 22.0.0-1.el8ap
python3x-galaxy-ng (Red Hat package): before 4.9.2-1.el8ap
python3x-cryptography (Red Hat package): before 42.0.5-1.el8ap
python3x-black (Red Hat package): before 22.8.0-2.el8ap
python3x-aiohttp (Red Hat package): before 3.9.5-1.el8ap
receptor (Red Hat package): before 1.4.8-1.el8ap
python-sqlparse (Red Hat package): before 0.5.0-1.el9ap
python-social-auth-app-django (Red Hat package): before 5.4.1-1.el9ap
python-requests (Red Hat package): before 2.32.2-1.el9ap
python-pydantic (Red Hat package): before 1.10.15-1.el9ap
python-pyOpenSSL (Red Hat package): before 24.1.0-1.el9ap
python-pulpcore (Red Hat package): before 3.28.27-1.el9ap
python-pulp-ansible (Red Hat package): before 0.20.7-1.el9ap
python-pillow (Red Hat package): before 10.3.0-1.el9ap
python-jinja2 (Red Hat package): before 3.1.4-1.el9ap
python-idna (Red Hat package): before 3.7-1.el9ap
python-gunicorn (Red Hat package): before 22.0.0-1.el9ap
python-galaxy-ng (Red Hat package): before 4.9.2-1.el9ap
python-cryptography (Red Hat package): before 42.0.5-1.el9ap
python-black (Red Hat package): before 22.8.0-2.el9ap
python-aiohttp (Red Hat package): before 3.9.5-1.el9ap
automation-hub (Red Hat package): before 4.9.2-1.el8ap
automation-eda-controller (Red Hat package): before 1.0.7-1.el8ap
automation-controller (Red Hat package): before 4.5.7-1.el8ap
ansible-rulebook (Red Hat package): before 1.0.7-1.el8ap
ansible-core (Red Hat package): before 2.15.11-1.el8ap
ansible-automation-platform-installer (Red Hat package): before 2.4-7.1.el8ap
CPE2.3
Vendor advisory: https://access.redhat.com/errata/RHSA-2024:3781
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU83930
Risk: Medium
CVSSv4.0: 6.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2023-49083
CWE-ID:
CWE-476 - NULL Pointer Dereference
Exploit availability: No
Description
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to a NULL pointer dereference error when calling the load_pem_pkcs7_certificates() or load_der_pkcs7_certificates() functions. A remote attacker can pass a specially crafted PKCS7 blob/certificate to the application and perform a denial of service (DoS) attack.
Mitigation
Install updates from vendor's website.
python3x-sqlparse (Red Hat package): before 0.5.0-1.el8ap
python3x-social-auth-app-django (Red Hat package): before 5.4.1-1.el8ap
python3x-requests (Red Hat package): before 2.32.2-1.el8ap
python3x-pydantic (Red Hat package): before 1.10.15-1.el8ap
python3x-pyOpenSSL (Red Hat package): before 24.1.0-1.el8ap
python3x-pulpcore (Red Hat package): before 3.28.27-1.el8ap
python3x-pulp-ansible (Red Hat package): before 0.20.7-1.el8ap
python3x-pillow (Red Hat package): before 10.3.0-1.el8ap
python3x-jinja2 (Red Hat package): before 3.1.4-1.el8ap
python3x-idna (Red Hat package): before 3.7-1.el8ap
python3x-gunicorn (Red Hat package): before 22.0.0-1.el8ap
python3x-galaxy-ng (Red Hat package): before 4.9.2-1.el8ap
python3x-cryptography (Red Hat package): before 42.0.5-1.el8ap
python3x-black (Red Hat package): before 22.8.0-2.el8ap
python3x-aiohttp (Red Hat package): before 3.9.5-1.el8ap
receptor (Red Hat package): before 1.4.8-1.el8ap
python-sqlparse (Red Hat package): before 0.5.0-1.el9ap
python-social-auth-app-django (Red Hat package): before 5.4.1-1.el9ap
python-requests (Red Hat package): before 2.32.2-1.el9ap
python-pydantic (Red Hat package): before 1.10.15-1.el9ap
python-pyOpenSSL (Red Hat package): before 24.1.0-1.el9ap
python-pulpcore (Red Hat package): before 3.28.27-1.el9ap
python-pulp-ansible (Red Hat package): before 0.20.7-1.el9ap
python-pillow (Red Hat package): before 10.3.0-1.el9ap
python-jinja2 (Red Hat package): before 3.1.4-1.el9ap
python-idna (Red Hat package): before 3.7-1.el9ap
python-gunicorn (Red Hat package): before 22.0.0-1.el9ap
python-galaxy-ng (Red Hat package): before 4.9.2-1.el9ap
python-cryptography (Red Hat package): before 42.0.5-1.el9ap
python-black (Red Hat package): before 22.8.0-2.el9ap
python-aiohttp (Red Hat package): before 3.9.5-1.el9ap
automation-hub (Red Hat package): before 4.9.2-1.el8ap
automation-eda-controller (Red Hat package): before 1.0.7-1.el8ap
automation-controller (Red Hat package): before 4.5.7-1.el8ap
ansible-rulebook (Red Hat package): before 1.0.7-1.el8ap
ansible-core (Red Hat package): before 2.15.11-1.el8ap
ansible-automation-platform-installer (Red Hat package): before 2.4-7.1.el8ap
CPE2.3
https://access.redhat.com/errata/RHSA-2024:3781
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU89167
Risk: Medium
CVSSv4.0: 1.2 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2024-1135
CWE-ID:
CWE-444 - Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')
Exploit availability: No
Description
The vulnerability allows a remote attacker to perform HTTP request smuggling attacks.
The vulnerability exists due to improper validation of HTTP requests when handling Transfer-Encoding headers. A remote attacker can send a specially crafted HTTP request to the server and smuggle arbitrary HTTP headers.
Successful exploitation of the vulnerability may allow an attacker to poison the HTTP cache and perform phishing attacks.
Mitigation
Install updates from vendor's website.
python3x-sqlparse (Red Hat package): before 0.5.0-1.el8ap
python3x-social-auth-app-django (Red Hat package): before 5.4.1-1.el8ap
python3x-requests (Red Hat package): before 2.32.2-1.el8ap
python3x-pydantic (Red Hat package): before 1.10.15-1.el8ap
python3x-pyOpenSSL (Red Hat package): before 24.1.0-1.el8ap
python3x-pulpcore (Red Hat package): before 3.28.27-1.el8ap
python3x-pulp-ansible (Red Hat package): before 0.20.7-1.el8ap
python3x-pillow (Red Hat package): before 10.3.0-1.el8ap
python3x-jinja2 (Red Hat package): before 3.1.4-1.el8ap
python3x-idna (Red Hat package): before 3.7-1.el8ap
python3x-gunicorn (Red Hat package): before 22.0.0-1.el8ap
python3x-galaxy-ng (Red Hat package): before 4.9.2-1.el8ap
python3x-cryptography (Red Hat package): before 42.0.5-1.el8ap
python3x-black (Red Hat package): before 22.8.0-2.el8ap
python3x-aiohttp (Red Hat package): before 3.9.5-1.el8ap
receptor (Red Hat package): before 1.4.8-1.el8ap
python-sqlparse (Red Hat package): before 0.5.0-1.el9ap
python-social-auth-app-django (Red Hat package): before 5.4.1-1.el9ap
python-requests (Red Hat package): before 2.32.2-1.el9ap
python-pydantic (Red Hat package): before 1.10.15-1.el9ap
python-pyOpenSSL (Red Hat package): before 24.1.0-1.el9ap
python-pulpcore (Red Hat package): before 3.28.27-1.el9ap
python-pulp-ansible (Red Hat package): before 0.20.7-1.el9ap
python-pillow (Red Hat package): before 10.3.0-1.el9ap
python-jinja2 (Red Hat package): before 3.1.4-1.el9ap
python-idna (Red Hat package): before 3.7-1.el9ap
python-gunicorn (Red Hat package): before 22.0.0-1.el9ap
python-galaxy-ng (Red Hat package): before 4.9.2-1.el9ap
python-cryptography (Red Hat package): before 42.0.5-1.el9ap
python-black (Red Hat package): before 22.8.0-2.el9ap
python-aiohttp (Red Hat package): before 3.9.5-1.el9ap
automation-hub (Red Hat package): before 4.9.2-1.el8ap
automation-eda-controller (Red Hat package): before 1.0.7-1.el8ap
automation-controller (Red Hat package): before 4.5.7-1.el8ap
ansible-rulebook (Red Hat package): before 1.0.7-1.el8ap
ansible-core (Red Hat package): before 2.15.11-1.el8ap
ansible-automation-platform-installer (Red Hat package): before 2.4-7.1.el8ap
CPE2.3
https://access.redhat.com/errata/RHSA-2024:3781
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU88828
Risk: Medium
CVSSv4.0: 6.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2024-3651
CWE-ID:
CWE-400 - Resource exhaustion
Exploit availability: No
Description
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists because the application does not properly control consumption of internal resources within the idna.encode() function. A remote attacker can pass an overly long domain name to the application and perform a denial of service (DoS) attack.
Mitigation
Install updates from vendor's website.
python3x-sqlparse (Red Hat package): before 0.5.0-1.el8ap
python3x-social-auth-app-django (Red Hat package): before 5.4.1-1.el8ap
python3x-requests (Red Hat package): before 2.32.2-1.el8ap
python3x-pydantic (Red Hat package): before 1.10.15-1.el8ap
python3x-pyOpenSSL (Red Hat package): before 24.1.0-1.el8ap
python3x-pulpcore (Red Hat package): before 3.28.27-1.el8ap
python3x-pulp-ansible (Red Hat package): before 0.20.7-1.el8ap
python3x-pillow (Red Hat package): before 10.3.0-1.el8ap
python3x-jinja2 (Red Hat package): before 3.1.4-1.el8ap
python3x-idna (Red Hat package): before 3.7-1.el8ap
python3x-gunicorn (Red Hat package): before 22.0.0-1.el8ap
python3x-galaxy-ng (Red Hat package): before 4.9.2-1.el8ap
python3x-cryptography (Red Hat package): before 42.0.5-1.el8ap
python3x-black (Red Hat package): before 22.8.0-2.el8ap
python3x-aiohttp (Red Hat package): before 3.9.5-1.el8ap
receptor (Red Hat package): before 1.4.8-1.el8ap
python-sqlparse (Red Hat package): before 0.5.0-1.el9ap
python-social-auth-app-django (Red Hat package): before 5.4.1-1.el9ap
python-requests (Red Hat package): before 2.32.2-1.el9ap
python-pydantic (Red Hat package): before 1.10.15-1.el9ap
python-pyOpenSSL (Red Hat package): before 24.1.0-1.el9ap
python-pulpcore (Red Hat package): before 3.28.27-1.el9ap
python-pulp-ansible (Red Hat package): before 0.20.7-1.el9ap
python-pillow (Red Hat package): before 10.3.0-1.el9ap
python-jinja2 (Red Hat package): before 3.1.4-1.el9ap
python-idna (Red Hat package): before 3.7-1.el9ap
python-gunicorn (Red Hat package): before 22.0.0-1.el9ap
python-galaxy-ng (Red Hat package): before 4.9.2-1.el9ap
python-cryptography (Red Hat package): before 42.0.5-1.el9ap
python-black (Red Hat package): before 22.8.0-2.el9ap
python-aiohttp (Red Hat package): before 3.9.5-1.el9ap
automation-hub (Red Hat package): before 4.9.2-1.el8ap
automation-eda-controller (Red Hat package): before 1.0.7-1.el8ap
automation-controller (Red Hat package): before 4.5.7-1.el8ap
ansible-rulebook (Red Hat package): before 1.0.7-1.el8ap
ansible-core (Red Hat package): before 2.15.11-1.el8ap
ansible-automation-platform-installer (Red Hat package): before 2.4-7.1.el8ap
CPE2.3
https://access.redhat.com/errata/RHSA-2024:3781
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU89677
Risk: Medium
CVSSv4.0: 1.2 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Green]
CVE-ID: CVE-2024-34064
CWE-ID:
CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Exploit availability: No
Description
The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.
The vulnerability exists due to insufficient sanitization of user-supplied data within the "xmlattr" filter. A remote attacker can trick the victim into following a specially crafted link and execute arbitrary HTML and script code in the user's browser in the context of the vulnerable website.
Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change the appearance of the web page, and perform phishing and drive-by-download attacks.
Mitigation
Install updates from vendor's website.
python3x-sqlparse (Red Hat package): before 0.5.0-1.el8ap
python3x-social-auth-app-django (Red Hat package): before 5.4.1-1.el8ap
python3x-requests (Red Hat package): before 2.32.2-1.el8ap
python3x-pydantic (Red Hat package): before 1.10.15-1.el8ap
python3x-pyOpenSSL (Red Hat package): before 24.1.0-1.el8ap
python3x-pulpcore (Red Hat package): before 3.28.27-1.el8ap
python3x-pulp-ansible (Red Hat package): before 0.20.7-1.el8ap
python3x-pillow (Red Hat package): before 10.3.0-1.el8ap
python3x-jinja2 (Red Hat package): before 3.1.4-1.el8ap
python3x-idna (Red Hat package): before 3.7-1.el8ap
python3x-gunicorn (Red Hat package): before 22.0.0-1.el8ap
python3x-galaxy-ng (Red Hat package): before 4.9.2-1.el8ap
python3x-cryptography (Red Hat package): before 42.0.5-1.el8ap
python3x-black (Red Hat package): before 22.8.0-2.el8ap
python3x-aiohttp (Red Hat package): before 3.9.5-1.el8ap
receptor (Red Hat package): before 1.4.8-1.el8ap
python-sqlparse (Red Hat package): before 0.5.0-1.el9ap
python-social-auth-app-django (Red Hat package): before 5.4.1-1.el9ap
python-requests (Red Hat package): before 2.32.2-1.el9ap
python-pydantic (Red Hat package): before 1.10.15-1.el9ap
python-pyOpenSSL (Red Hat package): before 24.1.0-1.el9ap
python-pulpcore (Red Hat package): before 3.28.27-1.el9ap
python-pulp-ansible (Red Hat package): before 0.20.7-1.el9ap
python-pillow (Red Hat package): before 10.3.0-1.el9ap
python-jinja2 (Red Hat package): before 3.1.4-1.el9ap
python-idna (Red Hat package): before 3.7-1.el9ap
python-gunicorn (Red Hat package): before 22.0.0-1.el9ap
python-galaxy-ng (Red Hat package): before 4.9.2-1.el9ap
python-cryptography (Red Hat package): before 42.0.5-1.el9ap
python-black (Red Hat package): before 22.8.0-2.el9ap
python-aiohttp (Red Hat package): before 3.9.5-1.el9ap
automation-hub (Red Hat package): before 4.9.2-1.el8ap
automation-eda-controller (Red Hat package): before 1.0.7-1.el8ap
automation-controller (Red Hat package): before 4.5.7-1.el8ap
ansible-rulebook (Red Hat package): before 1.0.7-1.el8ap
ansible-core (Red Hat package): before 2.15.11-1.el8ap
ansible-automation-platform-installer (Red Hat package): before 2.4-7.1.el8ap
CPE2.3
https://access.redhat.com/errata/RHSA-2024:3781
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU88063
Risk: Medium
CVSSv4.0: 4.4 [CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2024-28219
CWE-ID:
CWE-119 - Memory corruption
Exploit availability: No
Description
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error in "_imagingcms.c". A remote user can trigger memory corruption and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.
Mitigation
Install updates from vendor's website.
python3x-sqlparse (Red Hat package): before 0.5.0-1.el8ap
python3x-social-auth-app-django (Red Hat package): before 5.4.1-1.el8ap
python3x-requests (Red Hat package): before 2.32.2-1.el8ap
python3x-pydantic (Red Hat package): before 1.10.15-1.el8ap
python3x-pyOpenSSL (Red Hat package): before 24.1.0-1.el8ap
python3x-pulpcore (Red Hat package): before 3.28.27-1.el8ap
python3x-pulp-ansible (Red Hat package): before 0.20.7-1.el8ap
python3x-pillow (Red Hat package): before 10.3.0-1.el8ap
python3x-jinja2 (Red Hat package): before 3.1.4-1.el8ap
python3x-idna (Red Hat package): before 3.7-1.el8ap
python3x-gunicorn (Red Hat package): before 22.0.0-1.el8ap
python3x-galaxy-ng (Red Hat package): before 4.9.2-1.el8ap
python3x-cryptography (Red Hat package): before 42.0.5-1.el8ap
python3x-black (Red Hat package): before 22.8.0-2.el8ap
python3x-aiohttp (Red Hat package): before 3.9.5-1.el8ap
receptor (Red Hat package): before 1.4.8-1.el8ap
python-sqlparse (Red Hat package): before 0.5.0-1.el9ap
python-social-auth-app-django (Red Hat package): before 5.4.1-1.el9ap
python-requests (Red Hat package): before 2.32.2-1.el9ap
python-pydantic (Red Hat package): before 1.10.15-1.el9ap
python-pyOpenSSL (Red Hat package): before 24.1.0-1.el9ap
python-pulpcore (Red Hat package): before 3.28.27-1.el9ap
python-pulp-ansible (Red Hat package): before 0.20.7-1.el9ap
python-pillow (Red Hat package): before 10.3.0-1.el9ap
python-jinja2 (Red Hat package): before 3.1.4-1.el9ap
python-idna (Red Hat package): before 3.7-1.el9ap
python-gunicorn (Red Hat package): before 22.0.0-1.el9ap
python-galaxy-ng (Red Hat package): before 4.9.2-1.el9ap
python-cryptography (Red Hat package): before 42.0.5-1.el9ap
python-black (Red Hat package): before 22.8.0-2.el9ap
python-aiohttp (Red Hat package): before 3.9.5-1.el9ap
automation-hub (Red Hat package): before 4.9.2-1.el8ap
automation-eda-controller (Red Hat package): before 1.0.7-1.el8ap
automation-controller (Red Hat package): before 4.5.7-1.el8ap
ansible-rulebook (Red Hat package): before 1.0.7-1.el8ap
ansible-core (Red Hat package): before 2.15.11-1.el8ap
ansible-automation-platform-installer (Red Hat package): before 2.4-7.1.el8ap
CPE2.3
https://access.redhat.com/errata/RHSA-2024:3781
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU85743
Risk: High
CVSSv4.0: 7.2 [CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]
CVE-ID: CVE-2023-50447
CWE-ID:
CWE-94 - Improper Control of Generation of Code ('Code Injection')
Exploit availability: No
Description
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to improper input validation within the PIL.ImageMath.eval function. A remote attacker can send specially crafted input to the application and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.
Mitigation
Install updates from vendor's website.
python3x-sqlparse (Red Hat package): before 0.5.0-1.el8ap
python3x-social-auth-app-django (Red Hat package): before 5.4.1-1.el8ap
python3x-requests (Red Hat package): before 2.32.2-1.el8ap
python3x-pydantic (Red Hat package): before 1.10.15-1.el8ap
python3x-pyOpenSSL (Red Hat package): before 24.1.0-1.el8ap
python3x-pulpcore (Red Hat package): before 3.28.27-1.el8ap
python3x-pulp-ansible (Red Hat package): before 0.20.7-1.el8ap
python3x-pillow (Red Hat package): before 10.3.0-1.el8ap
python3x-jinja2 (Red Hat package): before 3.1.4-1.el8ap
python3x-idna (Red Hat package): before 3.7-1.el8ap
python3x-gunicorn (Red Hat package): before 22.0.0-1.el8ap
python3x-galaxy-ng (Red Hat package): before 4.9.2-1.el8ap
python3x-cryptography (Red Hat package): before 42.0.5-1.el8ap
python3x-black (Red Hat package): before 22.8.0-2.el8ap
python3x-aiohttp (Red Hat package): before 3.9.5-1.el8ap
receptor (Red Hat package): before 1.4.8-1.el8ap
python-sqlparse (Red Hat package): before 0.5.0-1.el9ap
python-social-auth-app-django (Red Hat package): before 5.4.1-1.el9ap
python-requests (Red Hat package): before 2.32.2-1.el9ap
python-pydantic (Red Hat package): before 1.10.15-1.el9ap
python-pyOpenSSL (Red Hat package): before 24.1.0-1.el9ap
python-pulpcore (Red Hat package): before 3.28.27-1.el9ap
python-pulp-ansible (Red Hat package): before 0.20.7-1.el9ap
python-pillow (Red Hat package): before 10.3.0-1.el9ap
python-jinja2 (Red Hat package): before 3.1.4-1.el9ap
python-idna (Red Hat package): before 3.7-1.el9ap
python-gunicorn (Red Hat package): before 22.0.0-1.el9ap
python-galaxy-ng (Red Hat package): before 4.9.2-1.el9ap
python-cryptography (Red Hat package): before 42.0.5-1.el9ap
python-black (Red Hat package): before 22.8.0-2.el9ap
python-aiohttp (Red Hat package): before 3.9.5-1.el9ap
automation-hub (Red Hat package): before 4.9.2-1.el8ap
automation-eda-controller (Red Hat package): before 1.0.7-1.el8ap
automation-controller (Red Hat package): before 4.5.7-1.el8ap
ansible-rulebook (Red Hat package): before 1.0.7-1.el8ap
ansible-core (Red Hat package): before 2.15.11-1.el8ap
ansible-automation-platform-installer (Red Hat package): before 2.4-7.1.el8ap
CPE2.3
https://access.redhat.com/errata/RHSA-2024:3781
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU90156
Risk: Low
CVSSv4.0: 1.7 [CVSS:4.0/AV:L/AC:L/AT:P/PR:H/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2024-35195
CWE-ID:
CWE-254 - Security Features
Exploit availability: No
Description
The vulnerability allows a local user to compromise the target system.
The vulnerability exists because the session object stops verifying subsequent requests once a first request has been made with verify=False. A local administrator can bypass authentication.
Mitigation
Install updates from vendor's website.
python3x-sqlparse (Red Hat package): before 0.5.0-1.el8ap
python3x-social-auth-app-django (Red Hat package): before 5.4.1-1.el8ap
python3x-requests (Red Hat package): before 2.32.2-1.el8ap
python3x-pydantic (Red Hat package): before 1.10.15-1.el8ap
python3x-pyOpenSSL (Red Hat package): before 24.1.0-1.el8ap
python3x-pulpcore (Red Hat package): before 3.28.27-1.el8ap
python3x-pulp-ansible (Red Hat package): before 0.20.7-1.el8ap
python3x-pillow (Red Hat package): before 10.3.0-1.el8ap
python3x-jinja2 (Red Hat package): before 3.1.4-1.el8ap
python3x-idna (Red Hat package): before 3.7-1.el8ap
python3x-gunicorn (Red Hat package): before 22.0.0-1.el8ap
python3x-galaxy-ng (Red Hat package): before 4.9.2-1.el8ap
python3x-cryptography (Red Hat package): before 42.0.5-1.el8ap
python3x-black (Red Hat package): before 22.8.0-2.el8ap
python3x-aiohttp (Red Hat package): before 3.9.5-1.el8ap
receptor (Red Hat package): before 1.4.8-1.el8ap
python-sqlparse (Red Hat package): before 0.5.0-1.el9ap
python-social-auth-app-django (Red Hat package): before 5.4.1-1.el9ap
python-requests (Red Hat package): before 2.32.2-1.el9ap
python-pydantic (Red Hat package): before 1.10.15-1.el9ap
python-pyOpenSSL (Red Hat package): before 24.1.0-1.el9ap
python-pulpcore (Red Hat package): before 3.28.27-1.el9ap
python-pulp-ansible (Red Hat package): before 0.20.7-1.el9ap
python-pillow (Red Hat package): before 10.3.0-1.el9ap
python-jinja2 (Red Hat package): before 3.1.4-1.el9ap
python-idna (Red Hat package): before 3.7-1.el9ap
python-gunicorn (Red Hat package): before 22.0.0-1.el9ap
python-galaxy-ng (Red Hat package): before 4.9.2-1.el9ap
python-cryptography (Red Hat package): before 42.0.5-1.el9ap
python-black (Red Hat package): before 22.8.0-2.el9ap
python-aiohttp (Red Hat package): before 3.9.5-1.el9ap
automation-hub (Red Hat package): before 4.9.2-1.el8ap
automation-eda-controller (Red Hat package): before 1.0.7-1.el8ap
automation-controller (Red Hat package): before 4.5.7-1.el8ap
ansible-rulebook (Red Hat package): before 1.0.7-1.el8ap
ansible-core (Red Hat package): before 2.15.11-1.el8ap
ansible-automation-platform-installer (Red Hat package): before 2.4-7.1.el8ap
CPE2.3
https://access.redhat.com/errata/RHSA-2024:3781
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU89132
Risk: Medium
CVSSv4.0: 0.6 [CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N/E:U/U:Green]
CVE-ID: CVE-2024-32879
CWE-ID:
CWE-178 - Improper Handling of Case Sensitivity
Exploit availability: No
Description
The vulnerability allows a remote attacker to compromise the target system.
The vulnerability exists due to the default case-insensitive collation in MySQL or MariaDB databases. A remote user can bypass the authentication process and gain unauthorized access to the application.
Mitigation
Install updates from vendor's website.
python3x-sqlparse (Red Hat package): before 0.5.0-1.el8ap
python3x-social-auth-app-django (Red Hat package): before 5.4.1-1.el8ap
python3x-requests (Red Hat package): before 2.32.2-1.el8ap
python3x-pydantic (Red Hat package): before 1.10.15-1.el8ap
python3x-pyOpenSSL (Red Hat package): before 24.1.0-1.el8ap
python3x-pulpcore (Red Hat package): before 3.28.27-1.el8ap
python3x-pulp-ansible (Red Hat package): before 0.20.7-1.el8ap
python3x-pillow (Red Hat package): before 10.3.0-1.el8ap
python3x-jinja2 (Red Hat package): before 3.1.4-1.el8ap
python3x-idna (Red Hat package): before 3.7-1.el8ap
python3x-gunicorn (Red Hat package): before 22.0.0-1.el8ap
python3x-galaxy-ng (Red Hat package): before 4.9.2-1.el8ap
python3x-cryptography (Red Hat package): before 42.0.5-1.el8ap
python3x-black (Red Hat package): before 22.8.0-2.el8ap
python3x-aiohttp (Red Hat package): before 3.9.5-1.el8ap
receptor (Red Hat package): before 1.4.8-1.el8ap
python-sqlparse (Red Hat package): before 0.5.0-1.el9ap
python-social-auth-app-django (Red Hat package): before 5.4.1-1.el9ap
python-requests (Red Hat package): before 2.32.2-1.el9ap
python-pydantic (Red Hat package): before 1.10.15-1.el9ap
python-pyOpenSSL (Red Hat package): before 24.1.0-1.el9ap
python-pulpcore (Red Hat package): before 3.28.27-1.el9ap
python-pulp-ansible (Red Hat package): before 0.20.7-1.el9ap
python-pillow (Red Hat package): before 10.3.0-1.el9ap
python-jinja2 (Red Hat package): before 3.1.4-1.el9ap
python-idna (Red Hat package): before 3.7-1.el9ap
python-gunicorn (Red Hat package): before 22.0.0-1.el9ap
python-galaxy-ng (Red Hat package): before 4.9.2-1.el9ap
python-cryptography (Red Hat package): before 42.0.5-1.el9ap
python-black (Red Hat package): before 22.8.0-2.el9ap
python-aiohttp (Red Hat package): before 3.9.5-1.el9ap
automation-hub (Red Hat package): before 4.9.2-1.el8ap
automation-eda-controller (Red Hat package): before 1.0.7-1.el8ap
automation-controller (Red Hat package): before 4.5.7-1.el8ap
ansible-rulebook (Red Hat package): before 1.0.7-1.el8ap
ansible-core (Red Hat package): before 2.15.11-1.el8ap
ansible-automation-platform-installer (Red Hat package): before 2.4-7.1.el8ap
CPE2.3
https://access.redhat.com/errata/RHSA-2024:3781
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU89381
Risk: Medium
CVSSv4.0: 6.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2024-4340
CWE-ID:
CWE-674 - Uncontrolled Recursion
Exploit availability: No
Description
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to an uncontrolled recursion when processing a heavily nested list in sqlparse.parse(). A remote attacker can pass specially crafted data to the application and perform a denial of service (DoS) attack.
Mitigation
Install updates from vendor's website.
python3x-sqlparse (Red Hat package): before 0.5.0-1.el8ap
python3x-social-auth-app-django (Red Hat package): before 5.4.1-1.el8ap
python3x-requests (Red Hat package): before 2.32.2-1.el8ap
python3x-pydantic (Red Hat package): before 1.10.15-1.el8ap
python3x-pyOpenSSL (Red Hat package): before 24.1.0-1.el8ap
python3x-pulpcore (Red Hat package): before 3.28.27-1.el8ap
python3x-pulp-ansible (Red Hat package): before 0.20.7-1.el8ap
python3x-pillow (Red Hat package): before 10.3.0-1.el8ap
python3x-jinja2 (Red Hat package): before 3.1.4-1.el8ap
python3x-idna (Red Hat package): before 3.7-1.el8ap
python3x-gunicorn (Red Hat package): before 22.0.0-1.el8ap
python3x-galaxy-ng (Red Hat package): before 4.9.2-1.el8ap
python3x-cryptography (Red Hat package): before 42.0.5-1.el8ap
python3x-black (Red Hat package): before 22.8.0-2.el8ap
python3x-aiohttp (Red Hat package): before 3.9.5-1.el8ap
receptor (Red Hat package): before 1.4.8-1.el8ap
python-sqlparse (Red Hat package): before 0.5.0-1.el9ap
python-social-auth-app-django (Red Hat package): before 5.4.1-1.el9ap
python-requests (Red Hat package): before 2.32.2-1.el9ap
python-pydantic (Red Hat package): before 1.10.15-1.el9ap
python-pyOpenSSL (Red Hat package): before 24.1.0-1.el9ap
python-pulpcore (Red Hat package): before 3.28.27-1.el9ap
python-pulp-ansible (Red Hat package): before 0.20.7-1.el9ap
python-pillow (Red Hat package): before 10.3.0-1.el9ap
python-jinja2 (Red Hat package): before 3.1.4-1.el9ap
python-idna (Red Hat package): before 3.7-1.el9ap
python-gunicorn (Red Hat package): before 22.0.0-1.el9ap
python-galaxy-ng (Red Hat package): before 4.9.2-1.el9ap
python-cryptography (Red Hat package): before 42.0.5-1.el9ap
python-black (Red Hat package): before 22.8.0-2.el9ap
python-aiohttp (Red Hat package): before 3.9.5-1.el9ap
automation-hub (Red Hat package): before 4.9.2-1.el8ap
automation-eda-controller (Red Hat package): before 1.0.7-1.el8ap
automation-controller (Red Hat package): before 4.5.7-1.el8ap
ansible-rulebook (Red Hat package): before 1.0.7-1.el8ap
ansible-core (Red Hat package): before 2.15.11-1.el8ap
ansible-automation-platform-installer (Red Hat package): before 2.4-7.1.el8ap
CPE2.3
https://access.redhat.com/errata/RHSA-2024:3781
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU87196
Risk: Medium
CVSSv4.0: 6.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2024-24783
CWE-ID:
CWE-388 - Error Handling
Exploit availability: No
Description
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists in crypto/x509 due to improper validation of a certificate chain that contains an unknown public key. A remote attacker can pass a specially crafted certificate to the application and perform a denial of service (DoS) attack.
Mitigation
Install updates from vendor's website.
python3x-sqlparse (Red Hat package): before 0.5.0-1.el8ap
python3x-social-auth-app-django (Red Hat package): before 5.4.1-1.el8ap
python3x-requests (Red Hat package): before 2.32.2-1.el8ap
python3x-pydantic (Red Hat package): before 1.10.15-1.el8ap
python3x-pyOpenSSL (Red Hat package): before 24.1.0-1.el8ap
python3x-pulpcore (Red Hat package): before 3.28.27-1.el8ap
python3x-pulp-ansible (Red Hat package): before 0.20.7-1.el8ap
python3x-pillow (Red Hat package): before 10.3.0-1.el8ap
python3x-jinja2 (Red Hat package): before 3.1.4-1.el8ap
python3x-idna (Red Hat package): before 3.7-1.el8ap
python3x-gunicorn (Red Hat package): before 22.0.0-1.el8ap
python3x-galaxy-ng (Red Hat package): before 4.9.2-1.el8ap
python3x-cryptography (Red Hat package): before 42.0.5-1.el8ap
python3x-black (Red Hat package): before 22.8.0-2.el8ap
python3x-aiohttp (Red Hat package): before 3.9.5-1.el8ap
receptor (Red Hat package): before 1.4.8-1.el8ap
python-sqlparse (Red Hat package): before 0.5.0-1.el9ap
python-social-auth-app-django (Red Hat package): before 5.4.1-1.el9ap
python-requests (Red Hat package): before 2.32.2-1.el9ap
python-pydantic (Red Hat package): before 1.10.15-1.el9ap
python-pyOpenSSL (Red Hat package): before 24.1.0-1.el9ap
python-pulpcore (Red Hat package): before 3.28.27-1.el9ap
python-pulp-ansible (Red Hat package): before 0.20.7-1.el9ap
python-pillow (Red Hat package): before 10.3.0-1.el9ap
python-jinja2 (Red Hat package): before 3.1.4-1.el9ap
python-idna (Red Hat package): before 3.7-1.el9ap
python-gunicorn (Red Hat package): before 22.0.0-1.el9ap
python-galaxy-ng (Red Hat package): before 4.9.2-1.el9ap
python-cryptography (Red Hat package): before 42.0.5-1.el9ap
python-black (Red Hat package): before 22.8.0-2.el9ap
python-aiohttp (Red Hat package): before 3.9.5-1.el9ap
automation-hub (Red Hat package): before 4.9.2-1.el8ap
automation-eda-controller (Red Hat package): before 1.0.7-1.el8ap
automation-controller (Red Hat package): before 4.5.7-1.el8ap
ansible-rulebook (Red Hat package): before 1.0.7-1.el8ap
ansible-core (Red Hat package): before 2.15.11-1.el8ap
ansible-automation-platform-installer (Red Hat package): before 2.4-7.1.el8ap
CPE2.3
https://access.redhat.com/errata/RHSA-2024:3781
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU88184
Risk: Medium
CVSSv4.0: 7.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:P/U:Green]
CVE-ID: CVE-2023-45288
CWE-ID:
CWE-400 - Resource exhaustion
Exploit availability: Yes
Description
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to insufficient limitations placed on the number of CONTINUATION frames that can be sent within a single HTTP/2 stream. A remote attacker can send specially crafted HTTP/2 requests to the server and perform a denial of service (DoS) attack.
Mitigation
Install updates from vendor's website.
python3x-sqlparse (Red Hat package): before 0.5.0-1.el8ap
python3x-social-auth-app-django (Red Hat package): before 5.4.1-1.el8ap
python3x-requests (Red Hat package): before 2.32.2-1.el8ap
python3x-pydantic (Red Hat package): before 1.10.15-1.el8ap
python3x-pyOpenSSL (Red Hat package): before 24.1.0-1.el8ap
python3x-pulpcore (Red Hat package): before 3.28.27-1.el8ap
python3x-pulp-ansible (Red Hat package): before 0.20.7-1.el8ap
python3x-pillow (Red Hat package): before 10.3.0-1.el8ap
python3x-jinja2 (Red Hat package): before 3.1.4-1.el8ap
python3x-idna (Red Hat package): before 3.7-1.el8ap
python3x-gunicorn (Red Hat package): before 22.0.0-1.el8ap
python3x-galaxy-ng (Red Hat package): before 4.9.2-1.el8ap
python3x-cryptography (Red Hat package): before 42.0.5-1.el8ap
python3x-black (Red Hat package): before 22.8.0-2.el8ap
python3x-aiohttp (Red Hat package): before 3.9.5-1.el8ap
receptor (Red Hat package): before 1.4.8-1.el8ap
python-sqlparse (Red Hat package): before 0.5.0-1.el9ap
python-social-auth-app-django (Red Hat package): before 5.4.1-1.el9ap
python-requests (Red Hat package): before 2.32.2-1.el9ap
python-pydantic (Red Hat package): before 1.10.15-1.el9ap
python-pyOpenSSL (Red Hat package): before 24.1.0-1.el9ap
python-pulpcore (Red Hat package): before 3.28.27-1.el9ap
python-pulp-ansible (Red Hat package): before 0.20.7-1.el9ap
python-pillow (Red Hat package): before 10.3.0-1.el9ap
python-jinja2 (Red Hat package): before 3.1.4-1.el9ap
python-idna (Red Hat package): before 3.7-1.el9ap
python-gunicorn (Red Hat package): before 22.0.0-1.el9ap
python-galaxy-ng (Red Hat package): before 4.9.2-1.el9ap
python-cryptography (Red Hat package): before 42.0.5-1.el9ap
python-black (Red Hat package): before 22.8.0-2.el9ap
python-aiohttp (Red Hat package): before 3.9.5-1.el9ap
automation-hub (Red Hat package): before 4.9.2-1.el8ap
automation-eda-controller (Red Hat package): before 1.0.7-1.el8ap
automation-controller (Red Hat package): before 4.5.7-1.el8ap
ansible-rulebook (Red Hat package): before 1.0.7-1.el8ap
ansible-core (Red Hat package): before 2.15.11-1.el8ap
ansible-automation-platform-installer (Red Hat package): before 2.4-7.1.el8ap
CPE2.3
https://access.redhat.com/errata/RHSA-2024:3781
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.
EUVDB-ID: #VU87197
Risk: Medium
CVSSv4.0: 6.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2023-45290
CWE-ID:
CWE-400 - Resource exhaustion
Exploit availability: No
Description
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists in net/http because the application does not properly control consumption of internal resources when parsing a multipart form (either explicitly with Request.ParseMultipartForm or implicitly with Request.FormValue, Request.PostFormValue, or Request.FormFile). A remote attacker can trigger resource exhaustion and perform a denial of service (DoS) attack.
Mitigation
Install updates from the vendor's website.
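The net/http entry above describes resource consumption during multipart parsing. The vendor update is the fix; the following added example (not code from the advisory, Red Hat, or the Go project) shows the handler-level caps a Go service can apply regardless of library version so that one request cannot make ParseMultipartForm read or buffer an unbounded body: the body is wrapped with http.MaxBytesReader, and the maxMemory argument bounds what is held in RAM. The limits, handler name, boundary string and form bodies are constructed for the demonstration.

```go
package main

import (
	"errors"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"strings"
)

// Constructed limits for the example; tune them for the real service.
const (
	maxBodyBytes   = 1 << 20   // 1 MiB: hard cap on the whole request body
	maxMemoryBytes = 256 << 10 // 256 KiB: parts beyond this spill to temp files
)

// uploadHandler is a hypothetical handler that bounds what ParseMultipartForm
// may consume. MaxBytesReader makes reads past maxBodyBytes fail with
// *http.MaxBytesError instead of reading to the end of an oversized body, and
// maxMemoryBytes limits the in-memory share of parsed parts.
func uploadHandler(w http.ResponseWriter, r *http.Request) {
	r.Body = http.MaxBytesReader(w, r.Body, maxBodyBytes)
	if err := r.ParseMultipartForm(maxMemoryBytes); err != nil {
		var mbe *http.MaxBytesError
		if errors.As(err, &mbe) {
			http.Error(w, "request body too large", http.StatusRequestEntityTooLarge)
			return
		}
		http.Error(w, "bad multipart form", http.StatusBadRequest)
		return
	}
	defer r.MultipartForm.RemoveAll() // remove any temp files the parser spilled to disk
	fmt.Fprintf(w, "fields=%d files=%d", len(r.MultipartForm.Value), len(r.MultipartForm.File))
}

// buildMultipart constructs a multipart/form-data body with n text fields of
// fieldSize bytes each (constructed input for the demonstration).
func buildMultipart(boundary string, n, fieldSize int) string {
	var b strings.Builder
	for i := 0; i < n; i++ {
		fmt.Fprintf(&b, "--%s\r\nContent-Disposition: form-data; name=\"f%d\"\r\n\r\n", boundary, i)
		b.WriteString(strings.Repeat("x", fieldSize))
		b.WriteString("\r\n")
	}
	fmt.Fprintf(&b, "--%s--\r\n", boundary)
	return b.String()
}

// post drives uploadHandler through httptest with the given body and returns
// the HTTP status code and response text.
func post(body string) (int, string) {
	const boundary = "exampleboundary"
	req := httptest.NewRequest(http.MethodPost, "/upload", strings.NewReader(body))
	req.Header.Set("Content-Type", "multipart/form-data; boundary="+boundary)
	rec := httptest.NewRecorder()
	uploadHandler(rec, req)
	out, _ := io.ReadAll(rec.Result().Body)
	return rec.Code, strings.TrimSpace(string(out))
}

func main() {
	// A small, well-formed form is accepted and parsed.
	code, out := post(buildMultipart("exampleboundary", 3, 100))
	fmt.Println(code, out)
	// A body above the cap is rejected with 413 instead of being consumed.
	code, out = post(buildMultipart("exampleboundary", 2, 2<<20))
	fmt.Println(code, out)
}
```

Both caps are independent of the net/http patch: the update removes the parser-side resource issue, while MaxBytesReader and a small maxMemory keep the worst case for any single request bounded by values the operator chose. http.MaxBytesError requires Go 1.19 or later.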
python3x-sqlparse (Red Hat package): before 0.5.0-1.el8ap
python3x-social-auth-app-django (Red Hat package): before 5.4.1-1.el8ap
python3x-requests (Red Hat package): before 2.32.2-1.el8ap
python3x-pydantic (Red Hat package): before 1.10.15-1.el8ap
python3x-pyOpenSSL (Red Hat package): before 24.1.0-1.el8ap
python3x-pulpcore (Red Hat package): before 3.28.27-1.el8ap
python3x-pulp-ansible (Red Hat package): before 0.20.7-1.el8ap
python3x-pillow (Red Hat package): before 10.3.0-1.el8ap
python3x-jinja2 (Red Hat package): before 3.1.4-1.el8ap
python3x-idna (Red Hat package): before 3.7-1.el8ap
python3x-gunicorn (Red Hat package): before 22.0.0-1.el8ap
python3x-galaxy-ng (Red Hat package): before 4.9.2-1.el8ap
python3x-cryptography (Red Hat package): before 42.0.5-1.el8ap
python3x-black (Red Hat package): before 22.8.0-2.el8ap
python3x-aiohttp (Red Hat package): before 3.9.5-1.el8ap
receptor (Red Hat package): before 1.4.8-1.el8ap
python-sqlparse (Red Hat package): before 0.5.0-1.el9ap
python-social-auth-app-django (Red Hat package): before 5.4.1-1.el9ap
python-requests (Red Hat package): before 2.32.2-1.el9ap
python-pydantic (Red Hat package): before 1.10.15-1.el9ap
python-pyOpenSSL (Red Hat package): before 24.1.0-1.el9ap
python-pulpcore (Red Hat package): before 3.28.27-1.el9ap
python-pulp-ansible (Red Hat package): before 0.20.7-1.el9ap
python-pillow (Red Hat package): before 10.3.0-1.el9ap
python-jinja2 (Red Hat package): before 3.1.4-1.el9ap
python-idna (Red Hat package): before 3.7-1.el9ap
python-gunicorn (Red Hat package): before 22.0.0-1.el9ap
python-galaxy-ng (Red Hat package): before 4.9.2-1.el9ap
python-cryptography (Red Hat package): before 42.0.5-1.el9ap
python-black (Red Hat package): before 22.8.0-2.el9ap
python-aiohttp (Red Hat package): before 3.9.5-1.el9ap
automation-hub (Red Hat package): before 4.9.2-1.el8ap
automation-eda-controller (Red Hat package): before 1.0.7-1.el8ap
automation-controller (Red Hat package): before 4.5.7-1.el8ap
ansible-rulebook (Red Hat package): before 1.0.7-1.el8ap
ansible-core (Red Hat package): before 2.15.11-1.el8ap
ansible-automation-platform-installer (Red Hat package): before 2.4-7.1.el8ap
CPE2.3
https://access.redhat.com/errata/RHSA-2024:3781
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.